White House Unveils Final Trusted Identities in Cyperspace Proposal

By Fahmida Y. Rashid |
Posted 2011-04-15

The
White House unveiled guidelines for establishing secure online credentials to
boost confidence and business online.

The
Department of Commerce unveiled the plans for National Strategy for Trusted
Identities in Cyberspace at a release event on April 15 to protect the privacy
and security of Internet users by encouraging the creation of secure and
reliable online credentials for consumers who want to use them.

"The
fact is that the old password and username combination we often use to verify
people is no longer good enough," Commerce Secretary Gary Locke said at the
event. The current system leaves "too many consumers, government agencies and
businesses vulnerable" to identity
thieves and criminals intent on stealing information, Locke said.

The
identity ecosystem would revolve around credentials stored outside of the
actual Website, application or service, and would eliminate the need for unique
passwords, Locke said.

With
the increasing amount of identity theft and online
fraud, consumers don't trust the Internet. "It will not reach its full
potential, commercial or otherwise, until users and consumers feel more
secure," Locke said.

The
technologies described in NSTIC would allow online users to stop using unique
passwords on each site and instead use a set of credentials that are accepted
by multiple sites. The goal is to not have just one trusted identity technology
or provider, but to have several and let users choose which ones to use.

Since
consumers will be able to choose among a diverse market of different providers
of credentials, there will be no single, centralized database of
information. Consumers can use their credentials to prove their identity
when they're carrying out sensitive transactions, like banking, and can stay
anonymous when they are not, said privacy advocate Susan Landau, a fellow at
Harvard University who was on the panel discussing the latest NSTIC plan.

Under
the identity ecosystem, online businesses will collect the minimal amount of
information necessary from credential providers in order to process the
transaction. For example, if a consumer wanted to buy alcohol online, the only
identity information the business needs is to confirm that the consumer is over
21, Matthew Gardiner, director of security at CA Technologies, told eWEEK.

"Working
together, innovators, industry, consumer advocates and the government can
develop standards so that the marketplace can provide more secure online
credentials, while protecting privacy, for consumers who want them," said
Locke.

A
single issuer of identities creates unacceptable privacy and civil liberties
issues, which is why the focus is on having several trusted identity
credentials that consumers can choose between. Perhaps the user will apply one
set of credentials when researching health topics and use another when trying
to get free shipping. The key is to adjust identity requirements to the task on
hand.

This
is not a government-mandated national ID program, Locke insisted. "We
don't think that's a good model, despite what you might have read on blogs
frequented by the conspiracy theory set," Locke said.

Initially
proposed
in June, the plan has not changed much since the previous draft
plan unveiled in January, although the final version has stronger language
emphasizing that NSTIC will be driven by the private sector and strictly
voluntary.

"It
gives consumers more control and more choice about their online identities. It
makes it clear that it's voluntary," Leslie Harris, president and CEO of
privacy advocacy group Center for Democracy and Technology, said on the panel.

The
secure credential could be a piece of software on a mobile device, a smartcard
or a small token that generates one-time passwords. The technology will come
from the private sector, and the government will collaborate by developing
necessary standards and policies to implement the ecosystem.

"We
also want to spur innovation, not limit it," Locke said.

As
part of the event, there were several companies demonstrating their existing
technologies that can be used to create the proposed identity ecosystem. CA
Technologies showcased its identity and access management platform, including
CA SiteMinder, CA Arcot WebFort and CA Arcot RiskFort. Certipath and Microsoft
also were part of the demonstration.

The
National Institute of Standards and Technology will host three workshops to
focus on problems with development and adoption of these online authentication
technologies. Businesses, consumer groups, privacy advocates and any other
interested people will be invited to attend. The plan is to have several
trusted identity projects to be launched in 2012, with the goal of having a
robust trusted identity market in three to five years.

Identity
theft affected about 8.1 million U.S. residents in 2010, according to Locke.
The Department of Commerce estimates that a company with 500 employees spends
$110,000 a year managing employee identity.